MEMORANDUM FOR

FROM: Gregory H. Friedman

Inspector General

SUBJECT: INFORMATION: Evaluation Report on "The Department's Unclassified Cyber Security Program - 2006"

BACKGROUND


To help accomplish its mission of ... the environment, the Department relies on numerous interconnected computer networks and individual systems. While vital to ..., these systems are increasingly subjected to sophisticated attacks designed to ... mission; ... personally identifiable and other sensitive data ... The Department expected to spend about ... in FY 2006 to protect its annual $2 billion investment in information technology resources.

The Federal Information Security Management Act (FISMA) provides a comprehensive framework for ensuring the effectiveness of security controls over information resources that support Federal operations and assets. As required by FISMA, the Office of Inspector General conducts an annual independent evaluation to determine whether the Department's unclassified cyber security program adequately protected its data and information systems. This memorandum report presents the results of our evaluation for FY 2006.

RESULTS OF EVALUATION


The Department has taken a number of actions to strengthen its unclassified cyber security posture. During the last year, it launched a cyber security revitalization program and initiated other steps. We continued to identify, however, deficiencies that exposed critical systems to an increased risk of compromise. In several instances, the problems we noted were similar to those reported in 2005. Specifically, for 2006 we found that:




• In spite of recent improvements in reporting methodology and standards, the Department had not yet completed a comprehensive inventory of its information systems;
• Many system certifications and accreditations had not been completed or were inadequate in that they lacked essential components such as risk assessments and independent testing of security controls;

• Contingency planning, which helps ensure that systems and data can be recovered and operations continue in the event of an emergency or disaster, had not been completed for certain critical systems; and,

• Weaknesses existed in physical and logical access and change controls designed to protect computer resources from unauthorized modification, loss or disclosure of information.

Continuing cyber security weaknesses occurred, at least in part, because Departmental and field elements did not always properly implement existing Departmental and Federal cyber security requirements. In a number of instances, cyber security weaknesses exposed through internal and external reviews were not identified in a timely manner or tracked to resolution. As a consequence, the Department's information systems and networks, and the data they contain, remain at an increased risk of compromise.

To help address continuing weaknesses, the Department has launched a revitalization effort designed to improve the management of its cyber security program and to emphasize line management's responsibility - through each of the Under Secretaries - to ensure that systems and data under their purview and control are secure.

As part of this effort, the Department has issued updated cyber security guidance designed to strengthen the certification and accreditation process, password management, and controls over wireless devices. In addition, the Office of Science's Office of Information Technology Management, in concert with the Office of Health, Safety and Security's Office of Independent Oversight, conducted a number of site visits to identify and correct cyber security problems. These processes, if implemented Department-wide, should help the Department remedy existing weaknesses and strengthen its overall cyber security posture. In addition to supporting these efforts, we have made several recommendations designed to enhance cyber security controls.


The Department and its program elements continue to develop and issue guidance to address Office of Management and Budget requirements for ensuring security over personally identifiable information. We are in the process of conducting a comprehensive review of these efforts. Because of its importance to the Department's cyber security program, we are also in the process of conducting a separate audit that specifically examines the state of certification and accreditation across the Department.

Due to security considerations, information on specific vulnerabilities and locations has been omitted from this report. Management officials at the sites we evaluated were provided with detailed information regarding identified vulnerabilities and, in many instances, initiated corrective actions.
MANAGEMENT REACTION

Management concurred with our findings and recommendations. We incorporated Management's suggestions into the body of the report.

Attachment

cc: Deputy Secretary

Administrator, National Nuclear Security Administration

Under Secretary of Energy

Under Secretary for Science

Chief of Staff

Chief Information Officer



EVALUATION REPORT ON THE DEPARTMENT'S UNCLASSIFIED CYBER SECURITY PROGRAM - 2006


TABLE OF CONTENTS


Unclassified Cyber Security Program


Details of Finding .......... 1

Recommendations and Comments .......... 8


Appendices

1. Scope and Methodology .......... 10

2. Prior Reports .......... 12

3. Management Comments .......... 15








UNCLASSIFIED CYBER PROGRAM IMPROVEMENTS


MANAGING CYBER-RELATED RISK


The Department of Energy (Department) continued efforts to strengthen its cyber security program and initiated a number of measures directed at improving the conditions described in our Evaluation Report on The Department's Unclassified Cyber Security Program - 2005 (DOE/IG-0700, September 2005). Since the issuance of that report, the Department appointed a new Chief Information Officer who has taken steps to restructure the Department's approach to cyber security. For instance, the Revitalization of the Department of Energy's Cyber Security Program was developed to improve the management of the program and to emphasize line management's responsibility - through each of the Under Secretaries - to ensure that systems and data under their purview are secure. Specific components of the revitalization effort include:

• Issuing new and updated cyber security guidance addressing areas such as certification and accreditation, risk management, vulnerability management, contingency planning, personnel management, mobile devices and protection of personally identifiable information;

• Initiating a collaborative effort between the Office of the Chief Information Officer (OCIO), the Office of Health, Safety and Security's Office of Independent Oversight, and the Office of Science to conduct site reviews to identify and remediate cyber security problems; and,

• Improving the process for reporting cyber security incidents to law enforcement officials.

In addition, the Department continues to strengthen its defense in depth approach to network protection, an approach that has helped it repel external attacks and reduce the risk of propagation of malicious code, viruses or worms across its systems. These efforts, if fully implemented, should help the Department resolve existing weaknesses and strengthen its overall cyber security posture.


Inventory and Evaluation of Critical Information Systems

While the Department's revitalization efforts hold promise to improve its overall cyber security posture, existing problems continue to plague critical information systems and increase the risk of compromise. Our evaluation disclosed that a


Details of Finding 



comprehensive inventory of all operational information technology (IT) systems, an essential component of a risk-based approach to cyber security, remained incomplete. Certification and accreditation (C&A) of all operational information systems had either not been completed or were inadequate. Most significantly, our testing disclosed that, for a number of systems, risk levels and related control measures had not been properly assessed, implemented and tested. At certain sites, organizations had not taken appropriate measures to safeguard their systems and data in the event of an emergency. These processes are essential components of a risk management strategy and provide a framework for managing threats to agency operations, assets and employees.


Systems Inventory

Even though required by the Federal Information Security Management Act (FISMA), the Department had not yet established a complete inventory of its systems. Agencies are required to develop a system inventory that includes an identification of the interfaces between each system and all other systems or networks, including those not operated by or under the control of the agency. Complete inventory data is essential to determining the risks associated with system operation and interconnection with internal or external resources. The Department had developed a reporting methodology and standards to assist in producing the inventory; however, a complete inventory of information systems had not been established. While most sites maintained inventory information, its usefulness was sometimes limited because of issues such as inconsistent approaches to grouping systems and a lack of interconnection information. Completion of a comprehensive Department-wide inventory is planned for September 2007.

Certification and Accreditation

The Department had not completed, or had not adequately performed, certification and accreditation for all operational systems in accordance with Federal direction. Specifically, at four sites we identified seven systems, some of which were core operational systems, for which the C&A process had not been completed. At 12 sites, organizations provided us with documentation supporting completion of the C&A process for systems we selected for review; we found that many specific, detailed activities required by guidance


promulgated by the Department and the National Institute of Standards and Technology (NIST) had not been performed. Based on our testing and work performed by the Office of Independent Oversight, we noted that:

• Risk categorizations/assessments of information systems had not been performed or were inadequate at six sites;

• Certain sites inappropriately used the broad grouping or "enclave" approach to complete C&A of their systems and grouped low risk systems with those requiring higher protection levels;

• At five sites, accreditation boundary information - data necessary to identify all system components - lacked sufficient detail to understand the system and determine the scope of certification and accreditation;

• Security plans at six sites were incomplete or missing critical elements, such as mandatory security controls;

• Independent assessment and certification of the effectiveness of security controls was not completed or documented at four sites as required;

• Annual self-assessments of all systems were not performed, or were not performed in accordance with NIST guidance, at six sites; and,

• At two sites, the role of the Designated Accrediting Authority, the individual responsible for accepting the risks associated with system operation and granting authority to operate, had been improperly delegated to a contractor official.

Because of its importance to the Department's cyber security program, the Office of Inspector General is currently conducting a separate audit that specifically examines the state of certification and accreditation across the Department.


planning had been completed, we found sites that had not taken the actions necessary to ensure that their systems could maintain continued operations in the event of emergency or disaster. Specifically, six sites did not have


recovery plans for their critical or core operational systems. In addition, two sites did not have adequate procedures for storing and backing up systems and system components. Recent events such as the damage associated with Hurricanes Katrina and Rita demonstrated the importance of maintaining a robust contingency capability. Inadequate contingency planning could bring operations to a halt or potentially lead to the loss of critical information should unforeseen and unplanned events such as these occur.

Security Controls 

While the Department has taken steps to address and correct previously reported deficiencies, it continued to experience problems in the areas of access controls, segregation of duties, and configuration management. These controls, which are recognized as establishing the baseline for many other security controls, are essential to protecting systems from unauthorized or inadvertent modification or malfunction.

Access Controls


Even though sites continued to make progress in addressing the access control problems reported last year, testing identified weaknesses at four sites during this year's evaluation. Strong administrative controls of this type are essential to ensuring that only authorized individuals gain access to Departmental system resources. Controls in this area include both physical and logical measures designed to protect computer resources from unauthorized modification, loss, or disclosure. In particular, we noted several instances where sites did not comply with Departmental policy:

• Two sites had not changed or disabled original vendor default passwords, thereby increasing the risk of unauthorized access to databases and operating servers;

• Three sites had passwords that were not changed at set intervals or were not of sufficient strength; and,

• At another site, unsuccessful logon attempts were not restricted, an important control designed to prevent "brute force" access through repeated password guessing.
One site also had not implemented sufficient access reviews for the users of its general support system. These reviews are essential to determining whether users who no longer have a valid need to access information systems, such as through job changes or resignations, are denied access to these systems.

Configuration Management and Change Controls

Configuration management and change control issues continue to be a problem, and our evaluation identified weaknesses at seven of the Departmental sites. Controls of this type help ensure that appropriate applications and systems are managed to provide adequate protection against unauthorized modifications and are essential to a coordinated and effective security policy. We noted problems such as not:

• Replacing or updating software with known vulnerabilities - a process generally known as patch management. Unless properly completed, systems are exposed to an increased risk of attack or compromise because available security updates are not applied or are not executed in a timely manner.

• Ensuring that changes to systems or applications were properly initiated and controlled. Change control is the process that management uses to identify, document and authorize changes to an IT environment. For example, one site's documentation did not demonstrate that software changes had been appropriately approved by authorized personnel prior to being implemented. A system at another site did not have the auditing/logging function enabled, a feature that permits the actions performed by users with privileged accounts to be monitored. Without proper change controls, individuals may create and put into production improper, unauthorized, or malicious programs and modifications.

In addition, configuration standards are necessary for ensuring uniformity and improving the level of computer security across the complex. Although required by Department and Office of Management and Budget (OMB) guidance, we found that four organizations had not adopted minimum security configuration standards. Also, two organizations had not established procedures in their security plans governing how to document and seek approval for necessary deviations from the standards.






CYBER SECURITY PROGRAM MANAGEMENT


Implementation of Cyber Security Requirements

Departmental organizations did not always ensure that Federal cyber security requirements, security policies, and controls were adequately implemented and were consistent with Federal requirements across Departmental and field organizations. For example, at the direction of the Office of Science, many of its field sites inappropriately applied a lower standard for determining system risk levels and applying corresponding security controls, resulting in systems being protected at a lower level than needed. Many sites also either did not complete or did not adequately document completion of security control testing and evaluations. Similarly, National Nuclear Security Administration (NNSA) site officials continued to indicate that they were required to comply with NNSA's cyber security policy, as opposed to meeting NIST requirements. However, our review disclosed that NNSA had not fully implemented that policy. Instead, many NNSA field sites were permitted to follow a less stringent certification and accreditation process that did not include NIST or NNSA requirements.

In addition to the issues noted above, the Department had not yet completed the process of modifying facility operating contracts to incorporate all Federal cyber security requirements. Although Departmental and program guidance was generally incorporated into contractor requirements documents and appended to site/facility management contracts, we learned that the Office of Science and the NNSA had not ensured that this process was completed for FISMA, OMB, and NIST cyber security requirements. Including these requirements in operating contracts is critical


As with previous years, the problems described in our report occurred, at least in part, because the Department's organizations did not always ensure that Department and Federal cyber security requirements were properly implemented. The OCIO also had not completed required independent verification and validation activities necessary to monitor the cyber security performance of program elements. Finally, the Department had not ensured that organizations identified and tracked all identified cyber security weaknesses in its Plan of Action and Milestones (POA&M) database.


Page 6 





to the success of the cyber security program when one considers that virtually all of the Department's facilities are managed and operated by contractors.


Our evaluation also disclosed that the OCIO had not regularly performed independent verification and validation (IV&V) activities essential to evaluating the adequacy of cyber security program performance. While we learned that some IV&V work was performed during FY 2005 on selected system certifications and accreditations, findings from these efforts were not tracked. Officials from the OCIO explained that they informally reported the issues identified to program officials but did not take action to ensure that the findings were resolved. Although officials indicated that no additional IV&V work had been performed, they also told us that they intended to perform a review of a sample of certification and accreditation packages during 2006. However, at the conclusion of our evaluation, management informed us that it was unable to complete the planned reviews because of other pressing concerns.


Lessons Learned


Similar to problems reported in the past, the Department had not always shared, identified and tracked ...


Specifically, the Department did not always use the cyber security POA&M management tool to its maximum advantage and had yet to permit program elements to share vulnerability information for lessons learned purposes.

While one of the most powerful features of the database is its ability to track the status of cyber security weaknesses to resolution, its value has been limited because not all findings were included in the database and incorrect finding status was maintained. Our evaluation revealed that:


• Four sites did not use a POA&M to track and report security weaknesses that were discovered internally. These sites only tracked and reported security weaknesses identified by external organizations, such as the Office of Inspector General;

• Four of 25 cyber security weaknesses reported during our Fiscal Year (FY) 2005 evaluation were not accurately tracked in the database and, as a consequence, were not included in quarterly status reports to OMB; and,


RESOURCES AND DATA REMAIN AT RISK


RECOMMENDATIONS


• One of 8 repeat findings that were reissued in FY 2005 was marked as completed in the POA&M database even though it had not actually been corrected.


Even though the Department has made progress in addressing cyber-related problems, the risk that its information, networks and data could be compromised remains higher than necessary.

Without an increased emphasis on completing the now-in-process cyber security revitalization plan, it is unlikely that the risk will be significantly reduced. As with other Federal agencies and commercial organizations, the Department faces the risk that sensitive operational, personally identifiable and other sensitive information could be accessed or exfiltrated by malicious entities. As an indication of such attention, the Department had been subjected to ... significant cyber security incidents, consisting primarily of attempts to compromise information by unauthorized users, malicious code, and web attacks, during FY 2006 - a 22 percent increase over last year. The Department's valuable information technology resources remain at increased risk from internal and external sources and could face data theft, tampering and disruption of critical operations.


To correct the weaknesses identified in this report and improve the effectiveness of the Department's cyber security program, we recommend that the Chief Information Officer, in coordination with the Administrator, NNSA, the Under Secretary for Science, and the Under Secretary of Energy:

1. Correct, through the implementation of management, operational, and technical controls, each of the specific vulnerabilities identified in this report.

2. Ensure that cyber security guidance issued by the Department and program offices is in direct compliance with Federal guidance.

3. Complete the process of modifying facility operating contracts to incorporate all Federal cyber security requirements.
Recommendations



4. Perform compliance monitoring and IV&V activities to assess the adequacy of cyber security program performance; and,

5. Ensure that the POA&M management tool is used to its maximum advantage by identifying, tracking to resolution, and sharing cyber security weaknesses across organizational elements.


MANAGEMENT REACTION

The Department agreed with the information contained in the report and concurred with each of the specific recommendations. It added that it would take appropriate follow-up action and continue to work to improve its cyber security posture.


AUDITOR COMMENTS


Management's comments are responsive to our recommendations.


Recommendations and Comments


Appendix 1 

OBJECTIVE 


SCOPE 


METHODOLOGY 


To determine whether the Department of Energy's (Department) Unclassified Cyber Security Program adequately protected data and information systems.


The audit was performed between ... 2006 and September 2006 at ... selected Departmental locations. Specifically, we performed an assessment of the Department's Unclassified Cyber Security Program. The evaluation included a limited review of general and application controls in areas such as entity-wide security planning and management, access controls, application software development and change control, and service continuity. Our work did not include a determination of whether vulnerabilities identified could be exploited and used to circumvent existing controls. The Office of Independent Oversight performed a separate review of classified and national security information systems.


To accomplish the audit objective, we:

• Reviewed Federal laws and directives pertaining to cyber security and information technology resources such as FISMA, OMB Circular A-130 (Appendix III), and Department Order 205.1;

• Reviewed applicable standards and guidance issued by NIST;

• Reviewed the Department's overall cyber security program management, policies, procedures, and practices throughout the organization;

• Assessed controls over network operations and systems to determine the effectiveness of safeguarding information systems from internal and external sources;


• Evaluated selected Departmental sites and offices in conjunction with the annual audit of the Department's ... performed by KPMG LLP, the Office of Inspector General's (OIG) contract auditor. OIG and KPMG work included analysis and testing of general and application controls for systems as well as vulnerability and penetration testing of networks; and,
Appendix 1 (continued)


• Evaluated and incorporated the results of other cyber security review work performed by the OIG, the Department's Office of Independent Oversight, the Government Accountability Office (GAO) and internal Departmental studies.

We also evaluated the Department's implementation of the Government Performance and Results Act and determined ... cyber security. We did not rely on computer-processed data to satisfy our objective. We did, however, use computer-assisted audit tools to perform probes of various networks and devices. We validated the results of the scans by confirming the weaknesses disclosed with responsible on-site personnel and performed other procedures to satisfy ourselves as to the reliability and competence of the data produced by the tests.

The evaluation was conducted in accordance with generally accepted Government auditing standards for performance audits and included tests of internal controls and compliance with laws and regulations to the extent necessary to satisfy our objective. Accordingly, we assessed internal controls regarding the development and implementation of automated systems. Because our review was limited, it would not necessarily have disclosed all internal control deficiencies that may have existed at the time of our evaluation.

Officials from the Office of the Chief Information Officer waived the exit conference.
Appendix 2


PRIOR REPORTS


Office of Inspector General Reports

• Evaluation Report on Internal Controls for Excessing Unclassified Computers at Los Alamos National Laboratory (DOE/IG-0734, July 2006). The report disclosed that Los Alamos National Laboratory (LANL) did not fully comply with internal controls applicable to excessing and surplusing computers. This ... unclassified documents. The report found that LANL had not, as required, sanitized the hard drives of computers prior to excessing them as surplus and removed the hard drives prior to the computers' sale or donation.

• Special Inquiry Report Relating to the Department of Energy's Response to a Compromise of Personal Data, July 19, 2006. The report determined that the Department of Energy's (Department) handling of the compromise of sensitive data was largely dysfunctional and that the operational breakdowns were caused by questionable management judgments; significant confusion by key decision makers as to lines of authority, responsibility and accountability; poor internal communications, including a lack of information flow and a failure to successfully communicate information among key officials; and insufficient follow-up on critical information security issues and decisions.

• Audit Report on Information Technology Support Services at the Department of Energy's Operating Contractors (DOE/IG-0725, April 2006). The report revealed that the Department lacked an effective means of managing and controlling contractor information technology (IT) support costs. The Department had not established a comprehensive framework that would provide a complex-wide approach to delivering IT support services at contractor-managed sites. Contractor sites were not required to accumulate information on IT support costs or report it to Federal officials. The report also disclosed that a number of contractors had limited capabilities for capturing and reporting IT support costs, preventing contractors and accountable Federal officials from maintaining visibility over the composition and cost of these services.

• Audit on Management of the Department's Desktop Computer Software Enterprise License Agreements (DOE/IG-0718, January 2006). The report disclosed that the Department had not fully utilized existing systems to manage its software enterprise license agreements. Specifically, the report found that existing systems did not provide accurate information regarding software inventories and usage, due to a lack of effective systems for tracking such information. Unless progress is made in this area, the Department will continue to be unable to analyze software needs and usage trends, ensure effective utilization of existing agreements, and confirm that it has enough licenses for the software installed on its desktops.


• Evaluation Report on the Department's Unclassified Cyber Security Program - 2005 (DOE/IG-0700, September 2005). The report stated that there were continuing weaknesses in the Department's unclassified cyber security program that exposed the Department's systems to an increased risk of compromise. The report cited weaknesses in the following areas: systems inventory, contingency planning, reporting of cyber security incidents, access controls, segregation of duties, and configuration management. The problems existed, in part, because program and field elements did not always properly implement Departmental cyber security requirements. In addition, the Department had not always assessed the adequacy of field site cyber security programs through independent reviews to strengthen its security posture. As a consequence, the Department's information systems were vulnerable to an increased risk of compromise.

• Special Report on Management Challenges at the Department of Energy (DOE/IG-0712, December 2005). The report identified information technology as one of the Department's most significant and long-standing management challenges. To address this, senior-level Departmental management officials have focused their attention on improving the Department's cyber security posture.

Government Accountability Office Reports

• Information Security: Weaknesses Persist at Federal Agencies Despite Progress Made in Implementing Related Statutory Requirements (GAO-05-552, July 2005). The Government Accountability Office (GAO) identified pervasive weaknesses in 24 major agencies' information security policies and practices which threatened the integrity, confidentiality and availability of Federal information and information systems. Access controls were not effectively ... duties was not consistently implemented; continuity of operations planning was often inadequate; and security programs were not fully implemented at the agencies. GAO stated that these weaknesses existed primarily because agencies had not yet fully implemented strong information security management programs.

• Information Security: Emerging Cybersecurity Issues Threaten Federal Information Systems (GAO-05-231, May 2005). GAO found that many federal agencies had not fully addressed the risks of emerging cyber security threats (spam, phishing and spyware) as part of their agency-wide information security programs. In addition, GAO found that federal agencies were not ... consistently reporting incidents of phishing and spyware to a central federal entity.

• Information Security: Federal Agencies Need to Improve Controls over Wireless Networks (GAO-05-383, May 2005). GAO concluded that federal agencies had not fully implemented key controls such as policies, practices and tools for managing wireless network security. The lack of controls in federal agencies warrants ... that ... vulnerabilities. The report found significant security weaknesses at six major federal agencies, including signal leakage from insecure (and unaccounted for) wireless equipment and unauthorized wireless devices.

• Information Security: Improving Oversight of Access to Federal Systems and Program Data by Contractors Can Reduce Risk (GAO-05-362, April 2005). GAO reported that most of the agencies reviewed did not have complete guidance in key areas for overseeing the information security practices of contractors, the extent of compliance with contract requirements, and agency information security policies. For example, GAO noted that agency policies did not describe oversight measures (including control of agency data in an off-site facility); the responsibility to have assessments of management controls to mitigate unauthorized disclosure of information; physical/logical access controls; or the introduction of unauthorized features, including testing. Without such policies, agencies may not be able to effectively and consistently assess the security controls of contractor or other organizations with privileged access to federal data and systems. As a result, GAO concluded that agencies risked losing control of information resources, exposing information, and malicious activity that introduces viruses and worms.

Office of Independent Oversight

• Independent Oversight Cyber Security Inspection of the Pantex Plant and the Pantex Site Office, May 2006.

• Independent Oversight Inspection of Cyber Security at the Savannah River Site, April 2006.

• Independent Oversight Unannounced Penetration Test (Red Team) of the Department of Energy Headquarters, February 2006.

• Independent Oversight Unannounced Penetration Test (Red Team) of the National Renewable Energy Laboratory, January 2006.

• Independent Oversight Unannounced Penetration Test (Red Team) of the National Nuclear Security Administration Service Center, November 2005.

• DOE Cyber Security Project Team Summary Report and Plan of Action, November 2005.
Department of Energy

Washington, DC 20585

September 15, 2006

MEMORANDUM FOR R. HASS

DIRECTOR, OFFICE OF PERFORMANCE
OFFICE OF INSPECTOR GENERAL

FROM: THOMAS N. PYKE, JR.

CHIEF INFORMATION OFFICER

SUBJECT: Draft Evaluation Report on "The Department's Unclassified Cyber Security Program - 2006"

Thank you for the opportunity to comment on this draft report. The Office of the Chief Information Officer (OCIO) appreciates your thoughtful effort in putting together this comprehensive report. The information in this report will assist the OCIO and the program offices to take appropriate follow-up action on specific findings, as well as to continue to work in the most effective way to improve the Department's cyber security posture. We concur with the recommendations in the report.

We appreciate the recognition in the report of the ongoing Department-wide cyber security revitalization effort. The Cyber Security Revitalization Plan has established a governance framework for cyber security management in the Department through a partnership between OCIO and the Under Secretaries and other senior management to provide adequate protection of all DOE information and information systems. Efforts to date in implementing the Plan include issuance by OCIO of cyber security guidance on: Management, Operation, and Technical Controls for Information Systems; Certification and Accreditation; Risk Management for Information Systems; Vulnerability Management; Interconnection Agreements; Plans of Action and Milestones; Contingency Planning; Password Management; Wireless Devices; ... Management; and Personally Identifiable Information.

Also, during the last year the Cyber Security Executive Steering Committee was established, which guided the development of the Revitalization Plan, and we also established the Cyber Security Working Group, under the Steering Committee, that participates actively in the development of cyber security guidance and in other cyber security activities. We have made significant improvements in our cyber incident handling capability, including initiating continuing action in real time by a Department-wide cyber forensics team that addresses the most serious cyber attacks that we face. We now have improved coordination about incidents with other Federal agencies and improved reporting about cyber incidents to the Inspector General and other key Department organizations. We have engaged in a continuing cyber security awareness campaign involving DOE senior management and the entire complex, especially with regard to actions everyone can take to improve our cyber security posture.

Management Comments



CUSTOMER RESPONSE FORM 


The Office of Inspector General has a continuing interest in improving the usefulness of its products. We wish to make our reports as responsive as possible to our customers' requirements, and, therefore, ask that you consider sharing your thoughts with us. On the back of this form, you may suggest improvements to enhance the effectiveness of future reports. Please include answers to the following questions if they are applicable to you:

1. What additional background information about the selection, scheduling, scope, or procedures of the inspection would have been helpful to the reader in understanding this report?

2. What additional information related to findings and recommendations could have been included in the report to assist management in implementing corrective actions?

3. What format, stylistic, or organizational changes might have made this report's overall message more clear to the reader?

4. What additional actions could the Office of Inspector General have taken on the issues discussed in this report which would have been helpful?

5. Please include your name and telephone number so that we may contact you should we have any questions about your comments.


Name ____________________ Date ____________________

Telephone ____________________ Organization ____________________


When you have completed this form, you may telefax it to the Office of Inspector General at (202) ..., or you may mail it to:

Office of Inspector General (IG-1)

Department of Energy
Washington, DC 20585

ATTN: Customer Relations

If you wish to discuss this report or your comments with a staff member of the Office of Inspector General, please contact Judy Garland-Smith, (202) ....






The Office of Inspector General wants to make the distribution of its reports as customer friendly and cost effective as possible. Therefore, this report will be available electronically through the Internet at the following address:

U.S. Department of Energy Office of Inspector General Home Page

http://www.ig.energy.gov

Your comments would be appreciated and can be provided on the Customer Response Form attached to the report.



